1. Field of the Invention
The present invention relates to the field of electronic commerce, and more particularly to a method and apparatus for authenticating electronic documents.
2. Background Art
Well established mechanisms exist for creating legally binding written instruments. One such mechanism is the application of a handwritten signature to a written document. For certain transactions, authentication of a handwritten signature, for example by a licensed public official such as a notary, is required. Authentication of a signature by a notary requires a personal appearance before the notary. The notary personally witnesses the execution of the signature, inspects identity documents to verify the identity of the person executing the signature, and affixes a notary statement and seal to the signed document. Notarization of a signature provides a level of assurance that the written instrument was in fact executed by person identified by the signature, and prevents repudiation of the signed instrument by the signer.
Electronic, computer based methods of doing business are increasingly displacing traditional paper based methods. Electronic communications and electronic documents are replacing written contracts, orders, payment instruments, account statements, invoices, and other paper documents.
Unlike their paper counterparts, electronic documents do not exist in physical form. Instead, they consist of sets of digital data that may be stored on various types of digital storage media ranging from volatile internal RAM memory to non-volatile ROM memory to magnetic and/or optical disk storage media, and that may be transmitted over various computer communications links including local and wide area networks, and the Internet. Because electronic documents do not have a physical form, the mechanisms devised to create legally binding paper instruments, such as affixing a notarized signature, cannot be used for electronic documents. Accordingly, a need has arisen for alternative mechanisms for creating and authenticating legally binding electronic documents and communications. Digital encryption, digital message digests, digital signatures, and digital certificates are some of the existing cryptographic tools that are used in the present invention to address this need.
Two well known types of cryptography are secret key cryptography and public key cryptography.
Secret key cryptography is a symmetric form of cryptography in which a single key is used to encrypt and decrypt an electronic document. To encrypt an electronic document, the electronic document and the secret key are supplied to a hardware device or a software encryption program that transforms the electronic document into an encrypted electronic document by means of an encryption process that uses the secret key and the electronic document as an input. The original electronic document can only be obtained from the encrypted electronic document by applying a reverse decryption process using the same secret key. Because the same secret key is used for encryption and decryption, both the sender and the recipient of the encrypted electronic document must have a copy of the secret key. The security of secret key cryptography can therefore be compromised by either the sender or the recipient.
Public key cryptography is an asymmetric form of cryptography that uses a two-key pair, typically referred to as a public key and a private key. These two keys are different but constitute a matched key pair. In public key encryption, electronic documents encrypted with either the public or private key of a public-private key pair can only be decrypted using the other key of the key pair. For example, an electronic document encrypted with a public key can only be decrypted using the corresponding private key. Conversely, an electronic document encrypted with a private key can only be decrypted using the corresponding public key.
The terms "public" key and "private" key stem from a manner in which public key cryptography is often used. A party A, concerned about privacy of its incoming communications generates a public-private key pair, using cryptographic hardware and/or software. Party A keeps its private key secret, but freely distributes its public key. Party B wishing to send a confidential electronic document to party A, can encrypt its electronic document using party A's freely available public key. Since the electronic document can then only be decrypted using the corresponding private key, party B can be assured that only party A, in possession of the private key, will be able to decode the encrypted electronic document.
A number of uncertainties arise with respect to the use of public key cryptography. One uncertainty relates to the identity of the owner of the private key that corresponds to the public key. It is possible, for example, that a public key may be circulated that fraudulently purports to be the public key of party A, but the corresponding private key of which is actually held by party C. A sender who encrypts a confidential communication to party A, using the public key the sender believes belongs to party A, will instead be creating a confidential communication that can be decrypted and read only by party C.
A second uncertainty, from the perspective of the recipient, relates to the identity of the sender of an encrypted communication. Since the recipient's public key is freely distributed, encryption of a communication with the recipient's correct public key does not provide any information concerning the sender, other than that the sender is someone who has access to the recipient's public key. As public keys are often freely available from public key repositories, the sender could be anyone.
A third uncertainty concerns the integrity of the communication--that is, there is an uncertainty as to whether the communication received by the recipient is the actual communication sent by the sender. For example, the communication may have been intercepted, modified, or replaced.
Digital signatures and digital certificates have been devised to address some of the uncertainties inherent in public key cryptography.
One of the purposes of a digital signature is to link an electronic document with an owner of the private key corresponding to a particular public key. Additionally, a digital signature can be used to determine whether an electronic document has been altered during transmission of the document from the sender to the recipient.
One form of digital signature uses a message digest. A message digest is a value that is generated when an electronic document is passed through a one way encryption process ("digesting process") such as a hashing routine. An ideal digesting process is one for which the probability that two different electronic documents will generate the same message digest is near zero. In this form of digital signature, both the sender and the recipient need to know which digesting process is being used. The sender generates the electronic document, and generates a message digest by passing the electronic document through the digesting process. The sender encrypts the resulting message digest with the sender's private key. The result, the encrypted message digest, then becomes the digital signature of the electronic document. The digital signature may be appended to the electronic document or kept as a separate entity.
The recipient obtains the electronic document and the digital signature of the sender. The recipient decrypts the digital signature using what the recipient believes to be the sender's public key, obtaining the decrypted message digest X. The recipient processes the received electronic document using the digesting process, obtaining message digest Y. The recipient then compares message digest Y to message digest X. If X=Y, the message digests are the same. This verifies that the electronic document was (1) digitally signed by the private key corresponding to the public key used to recover message digest X, and (2) that the electronic document content was not changed from the time that it was signed to the time that the digital signature was verified. However, the uncertainty remains as to whether the public key used by the recipient to decrypt the digital signature, which the recipient believes is the public key of the sender, is in fact the sender's public key.
The effectiveness of the digital signature, as well as other uses of public key cryptography, thus depends on the level of confidence as to the identity of the holder of the private key corresponding to a particular public key.
Digital certificates are intended to provide a level of assurance as to the identity of the holder of the private key corresponding to a particular public key. The issuers of digital certificates are called certification authorities. A digital certificate constitutes a certification by a certification authority that a particular public key is the public key of a particular entity, and that this entity is the holder of the corresponding private key.
Certification authorities are often commercial enterprises that collect fees for issuing digital certificates. To obtain a digital certificate, an applicant submits an application for a digital certificate together with the applicant's public key and some form of identity verification to a certification authority. The certification authority reviews the application, and if the application meets the criteria established by the certification authority, issues a digital certificate to the applicant.
The digital certificate itself is an electronic document. Although a variety of formats exist, a digital certificate typically includes, among other items, the name of the certification authority, the name of the certificate holder, the expiration date of the certificate, the public key of the certificate holder, and the digital signature of the certification authority. The digital certificate constitutes a certification by the certification authority that the holder of the certificate is the owner of the public key specified in the certificate, and, by implication, is therefore the holder of the corresponding private key.
The authenticity of a digital certificate is tested by verifying the certification authority's digital signature using the certification authority's public key. The level of assurance provided by a digital certificate depends on a number of factors, including the reputation of the certification authority issuing the certificate, the thoroughness of the procedures used by the certification authority in issuing the certificate, and the level of confidence in the certification authority's public key. Some certification authorities issue different levels of certificates, corresponding to different levels of investigation performed by the certificate authority during evaluation of an application.
The authenticity of a digital signature depends largely on the authenticity of the public key used by a recipient to test the digital signature. A digital certificate may be used to help authenticate a digital signature by verifying the authenticity of the certificate holder's public key. The digital certificate may be appended to an electronic document, or the recipient of an electronic document may obtain a copy of the certificate from the issuing certification authority or other certificate repository.
One drawback of using digital certificates for authentication of a digital signature is that a party wishing to digitally sign an electronic document must have previously applied for and obtained a digital certificate. If a party does not have a digital certificate its digital signature is questionable. A second drawback of prior art digital certificates is that certification authorities do not require an applicant to prove that the applicant has actual custody of the private key corresponding to the public key the applicant presents to the certification authority for certification at the time of application. Accordingly, the question remains as to the identity of the real holder of the private key corresponding to the public key identified in the digital certificate.
Accordingly, there remains a need for a means for verification of the authenticity of a digital signature in the absence of a digital certificate, and for verifying that a purported owner of a public key in fact has present custody of the corresponding private key at the time a digital signature is executed.